Dynamic protection of one or more deployed copies of a master operating system image

ABSTRACT

Methods, apparatuses, and computer program products for dynamic protection of one or more deployed copies of a master operating system image are provided. Embodiments include monitoring, by an image deployment monitor, an operational state of a deployed copy of a master operating system (OS) image; detecting, by the image deployment monitor, a change in the operational state of the deployed copy of the master OS image; in response to detecting the change, generating, by the image deployment monitor, a configuration recommendation to prevent the change from occurring in operational states of one or more other deployed copies of the master OS image; and providing, by the image deployment monitor, the configuration recommendation to the one or more other deployed copies of the master OS image.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The field of the invention is data processing, or, more specifically, methods, apparatuses, and computer program products for dynamic protection of one or more deployed copies of a master operating system image.

2. Description of Related Art

In modern data centers, system administrators often maintain a collection of master operating system (OS) images that are reserved for deployment unto new systems as these systems become operational. A master OS image is a boot device image that includes a representation of a computer program and its related data such as a kernel, file system, and libraries at a particular given point in time. Master OS images or “Golden” master OS images imply a degree of trust and stability based on prior quality assessments performed against them. After creating a master OS image, threats may arise that challenge the integrity of the configuration of the master OS image.

SUMMARY OF THE INVENTION

Methods, apparatuses, and computer program products for dynamic protection of one or more deployed copies of a master operating system image are provided.

Embodiments include monitoring, by an image deployment monitor, an operational state of a deployed copy of a master operating system (OS) image; detecting, by the image deployment monitor, a change in the operational state of the deployed copy of the master OS image; in response to detecting the change, generating, by the image deployment monitor, a configuration recommendation to prevent the change from occurring in operational states of one or more other deployed copies of the master OS image; and providing, by the image deployment monitor, the configuration recommendation to the one or more other deployed copies of the master OS image.

The foregoing and other objects, features and advantages of the invention will be apparent from the following more particular descriptions of exemplary embodiments of the invention as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts of exemplary embodiments of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 sets forth a block diagram of automated computing machinery comprising an exemplary management server useful in dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention.

FIG. 2 sets forth a block diagram of a system comprising another example management server useful in dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention.

FIG. 3 sets forth a flow chart illustrating an exemplary method for dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention.

FIG. 4 sets forth a flow chart illustrating a further exemplary method for dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Exemplary methods, apparatuses, and computer program products for dynamic protection of one or more deployed copies of a master operating system image in accordance with the present invention are described with reference to the accompanying drawings, beginning with FIG. 1. Dynamic protection of one or more deployed copies of a master operating system image in accordance with the present invention is generally implemented with computers, that is, with automated computing machinery. For further explanation, therefore, FIG. 1 sets forth a block diagram of automated computing machinery comprising an exemplary management server (152) useful in dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention. The management server (152) of FIG. 1 includes at least one computer processor (156) or ‘CPU’ as well as random access memory (168) (‘RAM’) which is connected through a high speed memory bus (166) and bus adapter (158) to processor (156) and to other components of the management server (152).

Stored in RAM (168) is an image deployment monitor (199) that includes computer program instructions for dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention. Specifically, the image deployment monitor (199) includes computer program instructions that when executed by the computer processor (156) cause the image deployment monitor (199) to carry out the step of monitoring an operational state of a deployed copy of a master operating system (OS) image. In the example of FIG. 1, the management server (152) is configured to monitor deployed copies (191, 192) on client systems (182) where the original master OS image (194), from which the copies (191, 192) were deployed, resides within a repository (189).

The image deployment monitor (199) also includes computer program instructions that when executed by the computer processor (156) cause the image deployment monitor (199) to carry out the step of detecting a change in the operational state of the deployed copy (191, 192) of the master OS image (194). An operational state of a deployed copy may be any type of monitorable characteristics related to the deployed copy, such as a physical state of the system upon which the copy is deployed; server performance; network performance; and security. Examples of changes in the operational state of a deployed copy include system errors or failure to communicate with a peripheral device.

The image deployment monitor (199) also includes computer program instructions that when executed by the computer processor (156) cause the image deployment monitor (199) to carry out the steps of generating in response to detecting the change, a configuration recommendation to prevent the change from occurring in operational states of one or more other deployed copies of the master OS image; and providing, by the image deployment monitor (199), the configuration recommendation to the one or more other deployed copies of the master OS image.

By using a configuration recommendation to prevent a change detected in a deployed copy of a master OS image (194), from occurring in other concurrently deployed copies, the image deployment monitor (199) may protect the other deployed copies against threats that have arisen after the creation of the master OS image. Thus, the image deployment monitor provides dynamic protection to the deployed copies of the master OS image.

Also stored in RAM (168) is an operating system (154). Operating systems useful dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention include UNIX™, Linux™, Microsoft XP™, AIX™, IBM's i5/OS™, and others as will occur to those of skill in the art. The operating system (154) and the image deployment monitor (199) in the example of FIG. 1 are shown in RAM (168), but many components of such software typically are stored in non-volatile memory also, such as, for example, on a disk drive (170).

The management server (152) of FIG. 1 includes disk drive adapter (172) coupled through expansion bus (160) and bus adapter (158) to processor (156) and other components of the management server (152). Disk drive adapter (172) connects non-volatile data storage to the management server (152) in the form of disk drive (170). Disk drive adapters useful in computers for dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention include Integrated Drive Electronics ('IDE') adapters, Small Computer System Interface (SCSI') adapters, and others as will occur to those of skill in the art. Non-volatile computer memory also may be implemented for as an optical disk drive, electrically erasable programmable read-only memory (so-called ‘EEPROM’ or ‘Flash’ memory), RAM drives, and so on, as will occur to those of skill in the art.

The example management server (152) of FIG. 1 includes one or more input/output (‘I/O’) adapters (178). I/O adapters implement user-oriented input/output through, for example, software drivers and computer hardware for controlling output to display devices such as computer display screens, as well as user input from user input devices (181) such as keyboards and mice. The example management server (152) of FIG. 1 includes a video adapter (183), which is an example of an I/O adapter specially designed for graphic output to a display device (180) such as a display screen or computer monitor. Video adapter (183) is connected to processor (156) through a high speed video bus (164), bus adapter (158), and the front side bus (162), which is also a high speed bus.

The exemplary management server (152) of FIG. 1 includes a communications adapter (167) for data communications with the repository (189) and other computers, such as client computers (182) via a data communications network (100). Such data communications may be carried out serially through RS-232 connections, through external buses such as a Universal Serial Bus (‘USB’), through data communications networks such as IP data communications networks, and in other ways as will occur to those of skill in the art. Communications adapters implement the hardware level of data communications through which one computer sends data communications to another computer, directly or through a data communications network. Examples of communications adapters useful for dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention include modems for wired dial-up communications, Ethernet (IEEE 802.3) adapters for wired data communications network communications, and 802.11 adapters for wireless data communications network communications.

For further explanation, therefore, FIG. 2 sets forth a block diagram of a system comprising another example management server (252) useful in dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention.

The system of FIG. 2 includes a management server (252) with an image deployment monitor (299) configured to monitor concurrently deployed copies of a master OS image. In the example of FIG. 2, the image deployment monitor (299) monitors a first deployed copy (291) deployed upon a first client system (241), a second deployed copy (276) on a second client system (240), and a third deployed copy (246) on a third client system (242). In the example of FIG. 2, only three deployed copies of a single master OS image are illustrated but the image deployment monitor (299) may be configured to monitor any number of deployed copies of any number of master OS images.

In the example of FIG. 2, the second deployed copy (276) and the third deployed copy (246) each has a directory that includes an associated blacklist (280, 260), a default configuration (282, 262), and other meta data (284, 264). A blacklist is a list indicating software modules that have been identified as creating problems on one or more deployed copies of the master OS image. That is, each software module listed in the blacklist has been associated with a negative change in an operational state of a deployed copy of a master OS image. The deployed copies may be configured to use the blacklists to determine which software modules should be prevented from being installed on the deployed copies. A default configuration is a collection of settings associated with deployment of a copy of a master OS image. For example, a default configuration may indicate how a particular drive is to be partitioned, memory allocated, and CPU and network bandwidth distributed. Other meta data may include rules, procedures, or any other type of information that may relate to deployment and execution of a copy of a master OS image.

During operation, the image deployment monitor (299) may receive one or more alerts (230) from the first deployed copy (291). An alert may indicate an operational state of the deployed copy (291). Examples of operational states may include a system error or loss of contact with a peripheral device. An alert may also indicate a configuration change in the first deployed copy (291). Examples of configuration changes may include installation of a software component, such as a device driver, or modification of a resource allocation, such as changing the size of memory, CPU bandwidth, or network bandwidth.

Based on information within one or more alerts (230), the image deployment monitor (299) may generate a configuration recommendation (232). For example, the image deployment monitor (299) may determine that the first deployed copy (291) installed a device driver and shortly afterwards experienced a system crash. In this example, the image deployment monitor (299) may conclude that the installation of the device driver was the cause of the system crash. Based on this conclusion, the configuration recommendation generated by the image deployment monitor (299) may specify an action designed to prevent the crash from occurring in other concurrently deployed copies of the master OS image. For example, the configuration recommendation may include an instruction to add the device driver to the blacklist (280) associated with the second deployed copy (276) and the blacklist (260) associated with the third deployed copy (246).

The image deployment monitor (299) may provide the configuration recommendation (232) to the other deployed copies (276, 246). For example, the other deployed copies (276, 246) may utilize adjustment modules (274, 244) to examine the blacklists (280, 260), the default configurations (282, 262), and other meta data (284, 264), respectively, to determine which installations of software modules to prevent, which hardware and software configurations to apply, and other rules or information associated with deployment. The adjustment modules (274, 244) are capable of utilizing information gathered from other deployed copies. That is, the adjustment modules (274, 244) are capable of modifying a deployed copy of a master OS image using special instructions or via deployment policy settings. In the example of FIG. 2, each of the other deployed copies (276, 246) has an associated directory stored on its client system. However, in other embodiments, the management server may maintain at the management server, a directory for one or more deployed copies.

For further explanation, FIG. 3 sets forth a flow chart illustrating an exemplary method for dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention. The method of FIG. 3 includes monitoring (302), by an image deployment monitor (301), an operational state (350) of a deployed copy (303) of a master operating system (OS) image (394). Monitoring (302) an operational state (350) of a deployed copy (303) of a master operating system (OS) image (394) may be carried out by installing a monitoring agent on the deployed copy. A monitoring agent may be configured to monitor data metrics such as availability and performance of an operating system and specific applications installed on a system associated with the deployed copy. That is, the image deployment monitor may act as a management hub for collecting and reporting on the data metrics gathered by the monitoring agents.

An operational state may be any type of monitorable characteristics related to the deployed copy. For example, an operational state may indicate a physical state of the system upon which the deployed copy resides, such as temperatures, chassis integrity, power supply, and fan speed. As another non-limiting example, an operational state may be related to server performance, such as SNMP monitoring, hard disk utilization, file integrity and size, memory utilization, CPU utilization, cache utilization, and other processes related to server performance. An operational state may be related to performance of a particular service, such as DNS, HTTP, FTP, Telnet, NNTP, SMTP. An operational state may also relate to network monitoring such as network throughput, current logons, failover/cluster monitoring or web site monitoring, such as hit rate, page content verification, database connection verification, and cache rate. Security parameters may also be indicated by an operational state, such as intrusion monitoring and login error monitoring.

The method of FIG. 3 includes detecting (304), by the image deployment monitor (301), a change in the operational state (350) of the deployed copy (303) of the master OS image (394). Non-limiting examples of changes in operational states include system errors or failures related to a particular monitorable characteristic of a deployed copy. Detecting (304), by the image deployment monitor (301), a change in the operational state (350) of the deployed copy (303) of the master OS image (394) may be carried out by receiving from a monitoring agent, an alert indicating a change in the monitored operational state of a deployed copy. For example, an alert may indicate a particular type of system error, a failure to communicate with a virtual peripheral device, or any other type of information related to an operational state.

The method of FIG. 3 includes generating (306) in response to detecting the change, by the image deployment monitor (301), a configuration recommendation (332) to prevent the change from occurring in operational states of one or more other deployed copies (394) of the master OS image. Generating (306) in response to detecting the change, a configuration recommendation (332) to prevent the change from occurring in operational states of one or more other deployed copies (394) of the master OS image may be carried out by determining a cause of the change in operational state; identifying a preventative action corresponding to the cause of the change; and specifying the preventative action within the configuration recommendation. For example, if the change in an operational state is determined to be due to addition of a software module, the image deployment monitor (301) may specify within the configuration recommendation, a preventative action designed to prevent installation of the software module in other concurrently deployed copies. In this example, the configuration recommendation may indicate a preventative action of adding the software module to a blacklist. As another example, if the change in operational state is due to insufficient resources, such as insufficient network bandwidth, CPU bandwidth, or memory space, the preventative action indicated in the configuration recommendation may specify changing the default configuration of other concurrently deployed copies of the master OS image. In this example, the configuration recommendation may change the amount of network bandwidth, CPU bandwidth, or memory space available to the other concurrently deployed copies of the master OS image.

The method of FIG. 3 also includes providing (308), by the image deployment monitor (301), the configuration recommendation (332) to the one or more other deployed copies (394) of the master OS image. As explained above, a configuration recommendation is designed to prevent a particular change from occurring in other concurrently deployed copies. To accomplish this task, a configuration recommendation may include different types of data. For example, if the configuration recommendation is designed to prevent installation of a particular software component, the configuration recommendation may include data specifying attributes of offending software modules, such as version number, author, and distribution number. Providing (308), by the image deployment monitor (301), the configuration recommendation (332) to the one or more other deployed copies (394) of the master OS image may be carried out by using direct or indirect communication to communicate with other deployed copies.

For further explanation, FIG. 4 sets forth a flow chart illustrating a further exemplary method for dynamic protection of one or more deployed copies of a master operating system image according to embodiments of the present invention. The method of FIG. 4 is similar to the method of FIG. 3 in that the method of FIG. 4 also includes monitoring (302) an operational state (350) of a deployed copy (303) of a master operating system (OS) image (394); detecting (304) a change in the operational state (350) of the deployed copy (303) of the master OS image (394); generating (306) in response to detecting the change, a configuration recommendation (332) to prevent the change from occurring in operational states of one or more other deployed copies of the master OS image (394); and providing (308) the configuration recommendation (332) to the one or more other deployed copies of the master OS image (394).

In the method of FIG. 4, however, detecting (304) a change in the operational state (350) of the deployed copy (303) of the master OS image (394) includes receiving (402) an alert from the deployed copy (303) of the master OS image. An alert may indicate an operational state of the deployed copy (291). Examples of operational states may include a system error or loss of contact with a peripheral device. An alert may also indicate a configuration change in the first deployed copy (291). Examples of configuration changes may include installation of a software component, such as a device driver, or modification of a resource allocation, such as changing the size of memory, CPU bandwidth, or network bandwidth. Receiving (402) an alert from the deployed copy (303) of the master OS image may be carried out by communicating directly or indirectly with a deployed copy of a master OS image.

In the method of FIG. 4, however, providing (308) the configuration recommendation (332) to the one or more other deployed copies of the master OS image (394) includes updating (404) a directory (499) associated with at least one of the one or more other deployed copies (394) of the master OS image. A directory may include information collection module useful for dynamic protection of a deployed copy of a master OS image, such as an associated blacklist, a default configuration, and other meta data. A blacklist is a list indicating software modules that have been identified as creating problems on one or more deployed copies of the master OS image. That is, each software module listed in the blacklist has been associated with a negative change in an operational state of a deployed copy of a master OS image. The deployed copies may be configured to use the blacklists to determine which software modules should be prevented from being installed on the deployed copies. A default configuration is a collection of settings associated with deployment of a copy of a master OS image. For example, a default configuration may indicate how a particular drive is to be partitioned, memory allocated, and CPU and network bandwidth distribution. Other meta data may include rules, procedures, or any other type of information that may relate to deployment and execution of a copy of a master OS image. Updating (404) a directory (499) associated with at least one of the one or more other deployed copies (394) of the master OS image may be carried out by instructing a deployed copy to make a change to a blacklist, default configuration, or other meta data.

Exemplary embodiments of the present invention are described largely in the context of a fully functional computer system for dynamic protection of one or more deployed copies of a master operating system image. Readers of skill in the art will recognize, however, that the present invention also may be embodied in a computer program product disposed upon computer readable storage media for use with any suitable data processing system. Such computer readable storage media may be any storage medium for machine-readable information, including magnetic media, optical media, or other suitable media. Examples of such media include magnetic disks in hard drives or diskettes, compact disks for optical drives, magnetic tape, and others as will occur to those of skill in the art. Persons skilled in the art will immediately recognize that any computer system having suitable programming means will be capable of executing the steps of the method of the invention as embodied in a computer program product. Persons skilled in the art will recognize also that, although some of the exemplary embodiments described in this specification are oriented to software installed and executing on computer hardware, nevertheless, alternative embodiments implemented as firmware or as hardware are well within the scope of the present invention.

As will be appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method or computer program product. Accordingly, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present invention may take the form of a computer program product embodied in one or more computer readable medium(s) having computer readable program code embodied thereon.

Any combination of one or more computer readable medium(s) may be utilized. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.

A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.

Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.

Computer program code for carrying out operations for aspects of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

Aspects of the present invention are described above with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.

The computer program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.

It will be understood from the foregoing description that modifications and changes may be made in various embodiments of the present invention without departing from its true spirit. The descriptions in this specification are for purposes of illustration only and are not to be construed in a limiting sense. The scope of the present invention is limited only by the language of the following claims. 

What is claimed is:
 1. An apparatus for dynamic protection of one or more deployed copies of a master operating system image, the apparatus comprising a computer processor, a computer memory operatively coupled to the computer processor, the computer memory having disposed within it computer program instructions that, when executed by the computer processor, cause the apparatus to carry out the steps of: monitoring, by an image deployment monitor, an operational state of a first deployed copy of a master operating system (OS) image executing on a first client system; detecting, by the image deployment monitor, a change in the operational state of the first deployed copy of the master OS image executing on the first client system; in response to detecting the change, generating, by the image deployment monitor, a configuration recommendation to prevent the change in the operational state of the first deployed copy of the master OS image executing on the first client system from occurring in an operational state of a second deployed copy of the master OS image executing on a second client system, wherein the configuration recommendation recommends, for the second deployed copy of the master OS image executing on the second client system, a specific change in size of a resource allocation of a resource; wherein the second deployed copy of the master OS image executing on the second client system includes an adjustment module configured to modify the second deployed copy of the master OS image based on the configuration recommendation; and providing, by the image deployment monitor, the configuration recommendation to the second deployed copy of the master OS image executing on the second client system.
 2. The apparatus of claim 1 wherein providing, by the image deployment monitor, the configuration recommendation to the second deployed copy of the master OS image includes updating a directory associated with the second deployed copy of the master OS image executing on the second client system; and wherein the directory indicates at least one of a list of blacklisted components, and default configurations settings for an operating system within deployed copies of the master OS image.
 3. The apparatus of claim 1 wherein the configuration recommendation recommends a change to default configuration settings for an operating system within deployed copies of the master OS image.
 4. The apparatus of claim 1 wherein the configuration recommendation recommends addition of a software component to a list of components blacklisted from being installed on deployed copies of the master OS image.
 5. The apparatus of claim 1 wherein detecting, by the image deployment monitor, a change in the operational state of the first deployed copy of the master OS image executing on the first client system includes receiving an alert from the first deployed copy of the master OS image executing on the first client system; and wherein the alert indicates the change in the operational state of the first deployed copy of the master OS image executing on the first client system.
 6. A computer program product for dynamic protection of one or more deployed copies of a master operating system image, the computer program product includes a non-transitory computer readable storage medium, wherein the non-transitory computer readable storage medium is not a signal, the computer program product comprising computer program instructions that, when executed, cause a computer to carry out the steps of: monitoring, by an image deployment monitor, an operational state of a first deployed copy of a master operating system (OS) image executing on a first client system; detecting, by the image deployment monitor, a change in the operational state of the first deployed copy of the master OS image executing on a first client system; in response to detecting the change, generating, by the image deployment monitor, a configuration recommendation to prevent the change in the operational state of the first deployed copy of the master OS image executing on the first client system from occurring in an operational state of second deployed copy of the master OS image executing on a second client system, wherein the configuration recommendation recommends, for the second deployed copy of the master OS image, a specific change in size of a resource allocation of a resource; wherein the second deployed copy of the master OS image executing on the second client system includes an adjustment module configured to modify the second deployed copy of the master OS image based on the configuration recommendation; and providing, by the image deployment monitor, the configuration recommendation to the second deployed copy of the master OS image executing on the second client system.
 7. The computer program product of claim 6 wherein providing, by the image deployment monitor, the configuration recommendation to the second deployed copy of the master OS image includes updating a directory associated with the second deployed copy of the master OS image executing on the second client system; and wherein the directory indicates at least one of a list of blacklisted components, and default configurations settings for an operating system within deployed copies of the master OS image.
 8. The computer program product of claim 6 wherein the configuration recommendation recommends a change to default configuration settings for an operating system within deployed copies of the master OS image.
 9. The computer program product of claim 6 wherein the configuration recommendation recommends addition of a software component to a list of components blacklisted from being installed on deployed copies of the master OS image.
 10. The computer program product of claim 6 wherein detecting, by the image deployment monitor, a change in the operational state of the first deployed copy of the master OS image executing on the first client system includes receiving an alert from the first deployed copy of the master OS image executing on the first client system; and wherein the alert indicates the change in the operational state of the first deployed copy of the master OS image executing on the first client system. 